seapp_context: explicitly label all seapp context files

seapp_context files need to be explicitly labeled as they are now split cross system and vendor and won't have the generic world readable 'system_file' label. Bug: 36002414 Test: no new 'seapp_context' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: ./cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi \ arm64-v8a --module CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testAospSeappContexts Test: Launch 'chrome' and succesfully load a website. Test: Launch Camera and take a picture. Test: Launch Camera and record a video, succesfully playback recorded video Change-Id: I19b3e50c6a7c292713d3e56ef0448acf6e4270f7 Signed-off-by: Sandeep Patil <sspatil@google.com>

seapp_context: explicitly label all seapp context files
seapp_context files need to be explicitly labeled as they are now split cross system and vendor and won't have the generic world readable 'system_file' label. Bug: 36002414 Test: no new 'seapp_context' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: ./cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi \ arm64-v8a --module CtsSecurityHostTestCases -t \ android.security.cts.SELinuxHostTest#testAospSeappContexts Test: Launch 'chrome' and succesfully load a website. Test: Launch Camera and take a picture. Test: Launch Camera and record a video, succesfully playback recorded video Change-Id: I19b3e50c6a7c292713d3e56ef0448acf6e4270f7 Signed-off-by: Sandeep Patil <sspatil@google.com>
1e149967 · Sandeep Patil · c9cf7361 · 1e149967 · 1e149967 · 1e149967
Commit 1e149967 authored 8 years ago by Sandeep Patil
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -102,6 +102,7 @@ allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
 allow adbd service_contexts_file:file r_file_perms;
 allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -46,9 +46,9 @@
 /plat_sepolicy\.cil      u:object_r:rootfs:s0
 /plat_property_contexts  u:object_r:property_contexts_file:s0
 /nonplat_property_contexts  u:object_r:property_contexts_file:s0
-/seapp_contexts     u:object_r:rootfs:s0
+/seapp_contexts     u:object_r:seapp_contexts_file:s0
-/nonplat_seapp_contexts     u:object_r:rootfs:s0
+/nonplat_seapp_contexts     u:object_r:seapp_contexts_file:s0
-/plat_seapp_contexts     u:object_r:rootfs:s0
+/plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /sepolicy           u:object_r:rootfs:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /nonplat_service_contexts   u:object_r:service_contexts_file:s0
@@ -252,6 +252,7 @@
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 #############################
 # Vendor files
@@ -260,6 +261,7 @@
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
 /vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
 /vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
 #############################
 # OEM and ODM files

--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,9 +10,6 @@ typeattribute webview_zygote mlstrustedsubject;
 # resulting process into webview_zygote domain.
 init_daemon_domain(webview_zygote)
-# Access to system files for SELinux contexts.
-allow webview_zygote rootfs:file r_file_perms;
 # Allow reading/executing installed binaries to enable preloading the
 # installed WebView implementation.
 allow webview_zygote apk_data_file:dir r_dir_perms;
@@ -46,6 +43,8 @@ allow webview_zygote system_server:process getpgid;
 # Interaction between the webview_zygote and its children.
 allow webview_zygote isolated_app:process setpgid;
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(webview_zygote)
 # Check SELinux permissions.

--- a/private/zygote.te
+++ b/private/zygote.te
@@ -62,6 +62,8 @@ allow zygote self:capability sys_admin;
 allow zygote pmsg_device:chr_file getattr;
 allow zygote debugfs_trace_marker:file getattr;
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(zygote)
 # Check SELinux permissions.

--- a/public/file.te
+++ b/public/file.te
@@ -262,6 +262,9 @@ type file_contexts_file, file_type;
 # property_contexts file
 type property_contexts_file, file_type;
+# seapp_contexts file
+type seapp_contexts_file, file_type;
 # service_contexts file
 type service_contexts_file, file_type;

--- a/public/installd.te
+++ b/public/installd.te
@@ -29,6 +29,8 @@ r_dir_file(installd, rootfs)
 r_dir_file(installd, system_file)
 # Get file context
 allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;